Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 07 Oct 2022 10:13:48 UTC
> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>> I think there's still a problem here.
>>
>> pfctl -a '*' -sr works
>> pfctl -a 'name/*' -sr does not.
>>
So I’ve looked at this a bit more, and I am now going to back away 
from the whole anchor thing, and try to pretend I didn’t see any of 
the tentacled horrors that lurk within.

To give you an idea of the issues, loading the following ruleset:

	anchor "foo" {
	        anchor "bar" {
	                pass in
	        }
	}

does exactly what you’d expect:

	# pfctl -sr -a "*"
	anchor "foo" all {
	  anchor "bar" all {
	    pass in all flags S/SA keep state
	  }
	}
	# pfctl -sr -a "foo/*"
	anchor "bar" all {
	  pass in all flags S/SA keep state
	}

However, if we `pfctl -Fr` to flush all rules:

	# pfctl -Fr
	rules cleared
	# pfctl -sr -a "*"
	# pfctl -sr -a "foo/*"
	anchor "bar" all {
	  pass in all flags S/SA keep state
	}

Unloading pf to actually delete the bar anchor, and then we set:

	anchor "foo"

And then

	# echo "pass" | pfctl -g -f - -a "foo/bar"
	# pfctl -sr -a "*"
	anchor "foo" all {
	}
	# pfctl -sr -a "foo/*"
	# pfctl -sr -a "foo/bar"
	pass all flags S/SA keep state

There are a lot of issues there, and it’ll take a lot of time and 
effort to root them out. My plan is to drink heavily and attempt to 
forget.

Kristof
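As an added example (not part of Kristof's mail or of the pfctl code), the following Python script parses the recursive `pfctl -sr -a` listing format shown above into a map of anchor path to rules, and then compares the `*` view against a `name/*` view to surface the inconsistency the mail describes: rules that stay visible through the sub-anchor path after `pfctl -Fr` has emptied the top-level listing. The sample listings are constructed from the transcripts in the mail; the function names and the orphan-detection logic are my own, not pfctl's.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample listings, modelled on the transcripts in the mail.
SR_STAR_BEFORE_FLUSH = """\
anchor "foo" all {
  anchor "bar" all {
    pass in all flags S/SA keep state
  }
}
"""
SR_STAR_AFTER_FLUSH = ""          # `pfctl -sr -a "*"` prints nothing after -Fr
SR_FOO_STAR_AFTER_FLUSH = """\
anchor "bar" all {
  pass in all flags S/SA keep state
}
"""

# An anchor rule that opens a nested block: anchor "name" <match criteria> {
ANCHOR_OPEN_RE = re.compile(r'^anchor\s+"([^"]+)"(?:\s+.*?)?\s*\{$')


def parse_pfctl_rules(text: str, base: str = "") -> Dict[str, List[str]]:
    """Parse recursive `pfctl -sr -a <base>/*` output.

    Returns {anchor_path: [rule lines]}.  `base` is the anchor the listing
    was requested for ("" for `-a "*"`, "foo" for `-a "foo/*"`), so nested
    anchors get full paths such as "foo/bar".
    """
    tree: Dict[str, List[str]] = {base: []}
    stack = [base]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ANCHOR_OPEN_RE.match(line)
        if m:
            parent = stack[-1]
            path = f"{parent}/{m.group(1)}" if parent else m.group(1)
            tree.setdefault(path, [])
            stack.append(path)
            continue
        if line == "}":
            if len(stack) <= 1:
                raise ValueError("unbalanced '}' in pfctl output")
            stack.pop()
            continue
        # Any other line is a rule belonging to the innermost open anchor.
        tree[stack[-1]].append(line)
    if len(stack) != 1:
        raise ValueError("unterminated anchor block in pfctl output")
    return tree


def find_orphaned_anchors(full: Dict[str, List[str]],
                          sub: Dict[str, List[str]]) -> List[str]:
    """Anchor paths (and their rules) visible in a `name/*` listing but
    absent from the `*` listing.  An empty result means both views agree."""
    orphans = []
    for path, rules in sub.items():
        if path not in full or any(r not in full[path] for r in rules):
            orphans.append(path)
    return sorted(orphans)


def capture_listing(anchor: str) -> str:
    """Run `pfctl -sr -a <anchor>` on a live system (FreeBSD, root)."""
    return subprocess.run(["pfctl", "-sr", "-a", anchor],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    before = parse_pfctl_rules(SR_STAR_BEFORE_FLUSH)
    sub = parse_pfctl_rules(SR_FOO_STAR_AFTER_FLUSH, base="foo")
    print("before -Fr:", find_orphaned_anchors(before, sub))   # []
    after = parse_pfctl_rules(SR_STAR_AFTER_FLUSH)
    print("after  -Fr:", find_orphaned_anchors(after, sub))    # ['foo', 'foo/bar']
```

On a live box, feed `capture_listing("*")` and `capture_listing("foo/*")` (parsed with `base="foo"`) into `find_orphaned_anchors`; a non-empty result means rules are still reachable through a sub-anchor path even though the top-level recursive listing no longer shows them, which is the state the mail reaches after `pfctl -Fr`.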